CVE-2026-44284 Overview
FastGPT is an AI Agent building platform affected by a Server-Side Request Forgery (SSRF) vulnerability [CWE-918] in its Model Context Protocol (MCP) tool URL handling. Prior to version 4.14.17, the application enforced SSRF protections on direct MCP preview and run endpoints but failed to validate URLs supplied to the MCP tool create and update endpoints. An authenticated user with permission to manage MCP toolsets could persist an internal endpoint such as http://localhost:3000/mcp. The stored URL was later consumed by the workflow runner without revalidation, causing the FastGPT backend to issue requests to internal destinations.
Critical Impact
Authenticated users can pivot the FastGPT backend into internal network services through stored MCP tool URLs, bypassing perimeter SSRF controls.
Affected Products
- FastGPT versions prior to 4.14.17
- FastGPT MCP toolset create and update endpoints
- FastGPT workflow runner consuming stored MCP URLs
Discovery Timeline
- 2026-05-08 - CVE-2026-44284 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-44284
Vulnerability Analysis
The vulnerability is an inconsistent SSRF protection gap in FastGPT's MCP integration. The direct MCP preview and run endpoints already rejected internal and private network URLs at request time. However, the create and update endpoints for MCP toolsets did not apply the same validation, allowing internal URLs to be persisted to storage. When workflow execution later loaded the stored tool definition, no revalidation was performed before connecting to the destination. This time-of-check / time-of-use gap converts the validation oversight into a stored SSRF primitive usable across workflow runs.
Root Cause
The root cause is missing centralized URL validation in the MCP tool persistence path. The function responsible for asserting that an MCP URL was not internal was only invoked on preview and run flows, not on create, update, or downstream workflow dispatch. The fix introduces a shared assertMCPUrlNotInternal helper in packages/service/core/app/mcp.ts and invokes it from the workflow tool dispatcher.
Attack Vector
An authenticated user with permission to create or manage MCP toolsets submits a tool definition pointing to an internal address such as http://localhost:3000/mcp or a private RFC1918 host. The URL is accepted and stored. When the toolset is referenced by an agent workflow, the FastGPT backend connects to the internal endpoint on the user's behalf, returning response data into the workflow context.
// Patch: packages/service/core/app/mcp.ts
import { UserError } from '@fastgpt/global/common/error/utils';
import $RefParser from '@apidevtools/json-schema-ref-parser';
import { getLogger, LogCategories } from '../../common/logger';
+import { isInternalAddress, PRIVATE_URL_TEXT } from '../../common/system/utils';
const logger = getLogger(LogCategories.MODULE.APP.MCP_TOOLS);
+export const assertMCPUrlNotInternal = async (url: string) => {
+ if (await isInternalAddress(url)) {
+ return Promise.reject(PRIVATE_URL_TEXT);
+ }
+};
export class MCPClient {
private client: Client;
private url: string;
Source: GitHub Commit c1c6b95
The workflow dispatcher was updated to import and call the new assertion before dispatching the tool, closing the revalidation gap in packages/service/core/workflow/dispatch/ai/agent/sub/tool/index.ts.
Detection Methods for CVE-2026-44284
Indicators of Compromise
- Stored MCP tool definitions referencing localhost, 127.0.0.1, ::1, 169.254.169.254, or RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
- FastGPT backend outbound connections to internal hosts originating from the workflow runner process.
- MCP toolset create or update API calls submitted by non-administrator accounts containing internal hostnames.
Detection Strategies
- Audit the MCP toolset collection in FastGPT's database and flag any url field resolving to a private, loopback, or link-local address.
- Review application logs for MCP tool create and update events occurring before the upgrade to 4.14.17.
- Inspect egress firewall logs for FastGPT backend connections targeting internal infrastructure that are not part of expected integrations.
Monitoring Recommendations
- Enable egress traffic monitoring on the FastGPT backend host and restrict outbound destinations to an allow list.
- Forward FastGPT application and API access logs to a centralized log platform for retention and rule-based alerting on MCP endpoint activity.
- Alert on workflow executions that resolve MCP URLs to internal IP space.
How to Mitigate CVE-2026-44284
Immediate Actions Required
- Upgrade FastGPT to version 4.14.17 or later, which introduces the assertMCPUrlNotInternal validation across persistence and dispatch paths.
- Audit existing MCP toolsets and remove or update any tool URL pointing to internal, loopback, or metadata service addresses.
- Restrict the role or permission that allows creating and managing MCP toolsets to trusted administrators.
Patch Information
The fix is delivered in FastGPT v4.14.17 via Pull Request #6826 and commit c1c6b95. Full advisory details are available in GHSA-cxxj-99f7-f5wq.
Workarounds
- Place the FastGPT backend behind an egress proxy that denies connections to loopback, link-local, and RFC1918 destinations.
- Temporarily disable the MCP tool create and update endpoints for non-administrative users until the upgrade is applied.
- Manually purge any stored MCP tool entries whose URL resolves to an internal address before re-enabling workflows.
# Upgrade FastGPT to the patched release
docker pull ghcr.io/labring/fastgpt:v4.14.17
docker compose down
docker compose up -d
# Verify version
curl -s http://<fastgpt-host>/api/common/system/getInitData | grep -i version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
